SIEM: What Is SIEM, How It Works, and Useful Resources

  • SIEM

What is a SIEM?

SIEM stands for Security information and event management. This technology has existed since the late 1990s. Traditional SIEM has been joined by a broad use log management technology that focuses on collecting various types of logs and events for different purposes, such as:

  • security monitoring
  • threat detection
  • digital forensics
  • security incident response
  • regulatory compliance
  • system management
  • and application troubleshooting

SIEM vendors usually provide different combinations of functionalities to offer the benefits listed above. Log management alone doesn’t provide the ability to handle the diverse use-cases required by modern businesses, so SIEMs are more complicated and mature in how they operate.

How Do SIEM Tools Work?

Most SIEM tools collect and analyze logs. Based on the data gathered, they report and visualize the aggregated data, helping security teams to detect and investigate security threats. The SIEM use cases normally focus on information security, network security, data security as well as regulatory compliance. Most SIEM tools offer a combination (or all of) the following features:

  • Log and context data collection
  • Normalization and categorization
  • Correlation
  • Notification/alerting
  • Prioritization
  • Real-time views
  • Reporting
  • Security role workflow

How did SIEM evolve and How Is the Next-Gen SIEM Any Different?

SIEMs, like any other information security tools, are naturally evolving to meet the ever-changing needs of the organizations. They become “smarter”, and with every day they become more and more useful for many other teams besides DevOps. For example, in our ebook “Audit Trail: Benefits Beyond Forensics” – we reviewed how audit trail has evolved to a powerful tool for demonstrating compliance, improving business processes, and detecting fraud. SIEM solutions will continue their evolution process, offering more and more security benefits.

We believe that going forward, some of the important problems that next-gen SIEMs should cover will be:

  • Helping security analysts and sysadmins rather than burdening them with alerts – false positives have always been the bane of SIEMs. Going forward, SIEMs should take steps to reducing the noise. Automation is one of the possible approaches that has become a separate, vibrant category.
  • End-to-end encryption – SIEMs are moving rapidly to the cloud but that poses security and privacy challenges. We believe that everything should be encrypted prior to being sent, so that even cloud SIEM vendors can’t have access to the data.
  • Indisputable log integrity – log integrity, non-repudiation, and compliance using our state-of-the-art cryptographic technologies will be a strict requirement in the future, as data manipulation and forensic tampering will be increasingly realized as serious security threats.
  • Machine Learning for immediate anomaly detection – Detecting anomalies in the face of a continuous stream of unstructured data from various sources is challenging. Thanks to the growth of various deep learning technologies, anomaly detection using machine learning is a practical solution today. SIEMs will strive to build robust anomaly detection with machine learning for pinpointing rare event patterns or potential problems.
  • Phishing protectionphishing attempts have grown 65% in the last year alone.  Phishing accounts for 90% of data breaches. Therefore, more and more SIEMs will be offer anti-phishing functionality. Even though SIEMs are typically seen as “monitor-only” with the right automation and response tools, they can effectively stop phishing.
  • Attack-vector specific monitoring – The MITRE ATT&CK framework clarified and publicized how attackers get access to target systems. SIEMs have started mapping events to the MITRE framework, but that’s not enough – there should be dedicated functionalities targeting the most prominent attack vectors. Phishing, as shown above, is just one example.

While “next-gen” isn’t an official term, many SIEMs are gradually moving out of the old “collect logs and apply rules” paradigm into solving problems of the current complex environment.

We, at LogSentinel, are developing such a Next-Gen SIEM, offering a superior business model for a successful SIEM implementation, covering the main obstacles that companies usually face while integrating it:

  • Easy and straight-forward integration
  • Predictable Pricing
  • Bundled Managed Service
  • Excellent Cloud Support

SIEM Resource Bank

If you would like to dig deeper in SIEM and its application in compliance and information security, we have prepared some insightful articles for you:

SIEM Solutions and Data Protection Compliance

The technical aspects of regulations ( e.g. GDPR, SOX, FISMA, HIPAA, etc) require paying better attention to the way companies store their personal data. SIEM systems can ease the process of storing evidence of compliance. They also ensure advanced threat detection of malicious activities. This way the processes become manageable and the data protection officers of medium and big companies can get better visibility over the processes within the organization, as well as to take measures for preventing security incidents. To find out how SIEM solutions can help you in your efforts to achieve regulatory compliance, read our full article. 

Does Your SIEM Guarantee Log Integrity? And Does It Make You Compliant?

SIEMs are meant to collect logs from various sources. These logs, allegedly, can be used later as an audit trail to help figure out what happened. Unfortunately, if you can’t trust the audit logs, you can’t be sure what happened. Not only that – you can’t convince anyone else., and therefore can’t comply with regulatory requirements. To find out how to guarantee log integrity using your SIEM, read this article.

Too often organizations have just one tool (either a SIEM, or a simple log collector, UEBA, Audit Trail, or etc) that collects all logs in hope that the chosen tool covers all purposes for collecting logs. This is often wrong but unfortunately reinforced by the tools’ marketing materials. In this article, we gathered insights about the log collectors landscape, and their best use cases, to help you get a better idea of their functionalities: Log Collectors Landscape: SIEM, Log Collectors, UEBA, and Audit Trail

Log Integrity: How SIEMs Address the Issue and Is It Enough?

Log integrity and non-repudiation are key properties of audit logs. As SIEMs are usually the way to collect audit logs (among many other things) in large organizations, we have to make sure they give us those properties. Learn how SIEMs address this issue and what features to be looking for: Log Integrity: How SIEMs Address the Issue and Is It Enough?

SIEM Costs: Why Are SIEMs Expensive?

SIEM (Security Information and Event Management) systems have a reputation for being expensive. And that’s generally correct – they can cost hundreds of thousands per year or have huge upfront costs. But why is that? Read this article to find out about the top reasons for the SIEMs to be so expensive, and find out what are the cost-efficient solutions suitable for your business: Why Are SIEMs Expensive?

Track Events You Have Not Tracked Before

There are a lot of products that allow collecting data, aggregating it, and displaying it for security or monitoring purposes. That includes SIEMs, UEBAs (User and entity behavior analytics), log collectors, and catch-all multi-purpose data platforms (like Splunk). But what kind of events do they track and which ones of them are critical to your business? Read more in this article: Track Events You Have Not Tracked Before

Three Industry-Specific Aspects of SIEM

Security Information and Event Management systems are considered a “must-have” in many industries. They are effectively a horizontal security tool that improves security posture and improves visibility regardless of the domain specifics. Or at least it seems so at first. We classified some inevitable industry specifics in three different categories – industry-specific data sources, compliance, and threats. To find out insights about each of these categories, read our whole article: Three Industry-Specific Aspects of SIEM

[Free On-Demand Webinar]  Security Information and Event Management (SIEM): Benefits and Pitfalls 

Security Information and Event Management (SIEM) – What is it, why it matters for security and why do we need it? How simple logs can be turned into actionable insights? In this webinar we’ll be taking a closer look at when is a SIEM needed, what are SIEMs missing and when do they fail to provide value. We’ll review concepts like alert fatigue, threat intelligence, audit log integrity, log privacy, and more. Don’t miss our SIEM Webinar! Register here.

Interested in a SIEM Solution that combines log management, behavior analytics (UEBA), threat detection, and incident response into a complete security monitoring platform? Talk to us today!

REQUEST DEMO

Like this article? Share it with your network!